General
-
Target
MALZ6.zip
-
Size
17.8MB
-
Sample
250102-1ejbvswpcv
-
MD5
5ad5a10e0ae8eeb1bb6817c9d0cd960e
-
SHA1
ecb3ffcf79aedfa3c35c2dab0b4f5ca0f872b62c
-
SHA256
c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099
-
SHA512
05b6ee99e6843d928255daded5a699231c25275b726f68be2b67c6bfc59305bc2b2ad5ae6ab11e70ce975a3ad10e7acbb520601728d9e4b255b7891263828cdd
-
SSDEEP
393216:P7tKCblX9nuQNeyIvnpDDsIT0vyirPw9yesWcnE1zoQrq8:c6hVeyQpvsIgvyirPiKWcnkUr8
Malware Config
Targets
-
-
Target
客户端(Client)_KEY.exe
-
Size
1.2MB
-
MD5
b0aacc897731ccf1adee875390c6cfcf
-
SHA1
494182a125ce93921252c79f155d4c10db049899
-
SHA256
e182e12f86fcc70e57c6ed760c5789e6c1a08dac5b4bfb005509c1a7038e9990
-
SHA512
b3f8f4793d9b00f1015ea0f9a77a0cf6672fc700036781adf5d5e4c559573f191d4ef982e57e964f7ad107664995d6f5cab6bd20d81f9f6f592602468fab2eab
-
SSDEEP
24576:4zOhmv9L5ldZz5NLDvHvK2OZkh0y634ek4cKWd6JqjzD8E:wZHzz6y63Jk4bg0VE
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
UDP.exe
-
Size
31KB
-
MD5
161f6beec09cd33d710f8f97365ee6f6
-
SHA1
9c408d1b53a1d03e8c7a3f85e050870f3d9a741f
-
SHA256
f73a89b6a5c42d21ee4f7a4d79ad784cdfd896bbe2453b60cf9688786f7a9d98
-
SHA512
e9f2afd6ad8216fa0f34cca29ba4d8753a03b187f4e9c29a0607e9b2ad932b788cb9a75db54df0db522e2a20d54a12992ed2396f40f06ab8cd76a89bcbf1e6be
-
SSDEEP
384:+ubvs5ed2wcTZr5bDDOp61lpHwdkJAqJDPHYM:hshb9r5b3Op8lVbJTJwM
Score3/10 -
-
-
Target
a
-
Size
1.3MB
-
MD5
84839072ae06ae3e47d93f3b79067305
-
SHA1
eb578777ca88dcaa72cb9b22720618b2e3aa770f
-
SHA256
dd77459b8d76d9be75dde3f2aa8e8434b266bc98acd15966c6ae65a6620b10db
-
SHA512
3b004be47b8aef3ce9ee821d267ef4e36dfb2a17bdbbf8630f24f119f3ad26c862a79a1e8afafe7e98422479eb58dd8b2ee5c644d3aef84f9bb2eab991f878de
-
SSDEEP
24576:X8BHnVsZc1VZneCEuvLmJ7p9fomAmgAspprQYlGtmgmH1LJSwYS3uJdE0cG/v5FH:YHnVec1VZnezuvLmJrfvAmgAspprVlGR
Score8/10-
Writes memory of remote process
-
Loads a kernel module
Loads a Linux kernel module, potentially to achieve persistence
-
-
-
Target
arm1
-
Size
977KB
-
MD5
cb75be331a7b5cb54bae9db9f4ca643d
-
SHA1
789ccb024361d7a4911dfc77bf1c93442491c3c9
-
SHA256
8366aea8087a354cbd178f920770b35d785f988ec3649bb7e282d1e3272a6b77
-
SHA512
d16e503bb8434c324976747b9f90092fafdaafcc877c588b18c8d1c14c9d813552389dea496a1b2cacaea4e2ebfdec6a630c68e44c645d1a25da9076e6f4c32f
-
SSDEEP
12288:erXiRPpwBSHJB2A6f13P5D79dmuxlNzJs4dm3yxiD1WjfGAIFDFvyq766Pd8YTQ0:jvwlP5DJdrRJsskWU5RPdg2ByWwK3R
Score4/10 -
-
-
Target
bj.exe
-
Size
378KB
-
MD5
a770ebf2e59e29c7460a01241a0a493f
-
SHA1
97e59e483e1fa524a305828157a50203e918ada9
-
SHA256
ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
-
SHA512
4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
-
SSDEEP
6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
-
-
Target
bjyk.exe
-
Size
378KB
-
MD5
a770ebf2e59e29c7460a01241a0a493f
-
SHA1
97e59e483e1fa524a305828157a50203e918ada9
-
SHA256
ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
-
SHA512
4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
-
SSDEEP
6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
-
-
Target
cctv.exe
-
Size
221KB
-
MD5
dc655daf16748469712aa1d26336e087
-
SHA1
ad9df22536f9913229849d8ac7b3baff93529d71
-
SHA256
744d37a30b3e0085b55fb62c9f226a4fd42a2545bd246105ba5e99c8fbfe1011
-
SHA512
0e2c839ce3d7bcf3ea2766e07970b5c5fb77f8909d1f70225b2c075faced3f130e1a37104d6ecd17a8fa00e3303d90a46d0c296b22bac3e2762ae30f315c3e46
-
SSDEEP
6144:jzu6Kqcii29Z/3sXnr1eEKNTVCDk0PVLOgE:jp7i2wbJ0Vc/JE
Score10/10-
Modifies firewall policy service
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Loads dropped DLL
-
-
-
Target
cctv_2.exe
-
Size
48KB
-
MD5
e0a1361af24cc075e0cfb9e6a6a09cd3
-
SHA1
6b81a0773fd5a5f588302ef2231d2461544868aa
-
SHA256
71ef7e43615e286a5d424d2bafca90c03b05a1c216f1b3ac81997ee2d6bda8d7
-
SHA512
70815a447784599b423a4a4fb0c9d6821dd95244af8dd529ac51afa8d644ee16658cce748501b5f3283eec75ea1c967b225fb5400813f8fa5dc0c2dbe4de2401
-
SSDEEP
768:g+jOttjAoHTtNErVhg4xz8Jgo4KR3py9ma1Qxxbr:PiAgT0rVfF8JB4KR5omamx
Score10/10-
Modifies firewall policy service
-
-
-
Target
cn.exe
-
Size
520KB
-
MD5
2033a6d7d02690c31fa53d8717fc7ffb
-
SHA1
5ff0fb65c1322fba3f30a325097bd140ac9f508e
-
SHA256
5b81c2781d2c953f46fa7fdd815a31eebdaf8d402ab96457814cdf87583eaf1d
-
SHA512
8ec8cd260a54d138145ce1a2591ab3768f535518f7ea75967f5e7d89a1569a8ff4cdb33c85fb2fb31497e27aaf2a661c11fd7702fee73a0fa4652ed146d136c3
-
SSDEEP
12288:H8D0Pn8yQAOWqNujygoH8qCTxQSza+bqHKNci1/9aa:H8D0/JO/ujy9yTxDza3q2i1/9f
Score7/10-
Executes dropped EXE
-
-
-
Target
cn1.exe
-
Size
196KB
-
MD5
0731b597e61c2fd74577239fc53c794b
-
SHA1
85bf7df302e1e4e096ad8d385cac2ef004457ba9
-
SHA256
fe23577d1480bedcd63037921bbd5a55e86171c1a7dc97667df6a674ca0044fc
-
SHA512
6bf34bd045020a852dc2553869f67c30d13857c9fb228ae966fd2f794f607f7157933a4772c9e13e19c85bfec1f585d6e350cbcafb58c624f0aade78085664f4
-
SSDEEP
3072:zwSn0zvOvtYzwnqSioDXx4uE9w2qbMUeZPorQ/4/464Is9Um:U00zvOvtgSiod4uYzqAvZ1/w46Iym
Score7/10-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
dhl.exe
-
Size
378KB
-
MD5
a770ebf2e59e29c7460a01241a0a493f
-
SHA1
97e59e483e1fa524a305828157a50203e918ada9
-
SHA256
ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
-
SHA512
4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
-
SSDEEP
6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
-
-
Target
java
-
Size
1.5MB
-
MD5
e2be8944ce24abb4c0ed6858eb8d6157
-
SHA1
a9511dd764080aa0437fb586f2babd1c18214a6a
-
SHA256
59755333ce8c0e16e45340984a22a50f4cb6cb92f8fb85e452dfbec7596a4859
-
SHA512
815bed537eede7461d03b9ffab84b3f77ac43f3d5e47284b4c8a5052ab2eb82bc1563ab7375e3928dfb4a4179096d429143423bd780f2e037ec29ae8a4fee17a
-
SSDEEP
24576:hNJp/2SkgT4KUAopmhDO2Aan9XgnU6tZAf4Nzbm6g+qF2SdYOrhGB+bL+cH8y6LL:hNvOx/Vp/2bn9XgnNtmf28rhObccIwhL
Score4/10 -
-
-
Target
java (2)
-
Size
41KB
-
MD5
29096b156ac5bbd5bf44448d4c92f47a
-
SHA1
fec10cfed79d87d6d6867867f8730ffa39be31c9
-
SHA256
18b0893f3b143a70dc60b0d4da10b63f5fd172fedb63b857b281e0c19a0b0dbe
-
SHA512
f0f5d259b4d57e8361ea1d8bde69fa1eef6bd3a7614761b3d157a228f71bbf40ea1a2ab8edaa4760a332f6d7ff5404374cc11a437f57eee613eec4cf7b145380
-
SSDEEP
768:onP9R7JLjULRm7oKYNEfOVmXVtje7heNcfb+QuKfUGH4k53:69D3cD6WcFtC7h5CQXUGYk53
Score1/10 -
-
-
Target
java1
-
Size
1.5MB
-
MD5
b94d195896ac0aa647a2334f74e1aa73
-
SHA1
58792006cd89f0689a2eb4766af298305954c653
-
SHA256
fc10540c1effe99bdd7a9e1025bdda6813f5dbbdb6e89acdbf79df443a5bba49
-
SHA512
1d4f0427d6ffc456afa34e5edb1742a238866106a3cdbfa7866692aadd4810114f53111671d2fecbe396cf42f590f6beee29afee74893eb33bb0854ef78a3ef1
-
SSDEEP
24576:hNJp/2SkgT4KUAopmhDO2Aan9XgnU6tZAf4Nzbm6g+qF2SdYOrhGz+bL+cH8y6LL:hNvOx/Vp/2bn9XgnNtmf28rh0bccIwhL
Score7/10-
Loads a kernel module
Loads a Linux kernel module, potentially to achieve persistence
-
-
-
Target
k5.exe
-
Size
76KB
-
MD5
145c9edca1151d477e5c339b6d797cbd
-
SHA1
f09d773d50f87c47500305e79bc1e6fcf503ebd6
-
SHA256
ed989d9d7e04a312dffe2fdd8dd30273d5b07ee56941f1a724b6143752ef42da
-
SHA512
10f5d6cacbbc96fa22c097f5b519fe1738a5531820518af00cedf8ca9112808bc2c2871845f85f496a1d08695441262ab3ed57068e6d029ec1e5aabdb32d47df
-
SSDEEP
1536:bcPk2vG+Yq6GrXdOOq52m0HLxEulgsteEY+cZv8FYOicNx1q/6:v2vGM6GLdu52hHL6ulgsteEY+cZ90Nx1
Score10/10-
Modifies firewall policy service
-
Modifies RDP port number used by Windows
-
Executes dropped EXE
-
-
-
Target
ly1
-
Size
745KB
-
MD5
7878dedc8f99659f1e0bd43a8b20b25f
-
SHA1
968c61c19237efad875fb5da9ef468303fd18500
-
SHA256
fe686bb110b6af61f109de5b71239bb76ea75e0588ece3a0570393f310eb1026
-
SHA512
dd71e1da4bc6f82bd03110431e22fbed130b10c27ae16bf3d8c6760c0b11c5486dc475ba98cd0d35192bedf5bba836424d41289ba25c678bca8a636c117b7b0c
-
SSDEEP
6144:UTOzkT3puxmMmp9HovF3VBkFuPIMM2IutuXie+w7EQEtXqdTqBYWXChQyurnbOq3:2jHovzRu1ddTqDnUsIdk0KE43dcTDVSN
Score3/10 -
-
-
Target
mh.exe
-
Size
92KB
-
MD5
990ced068a35be3f8092c491bf2a6dbb
-
SHA1
b9303bd5671d66b7b5520da2a12f7243b05235f4
-
SHA256
22e44f753597c056b7b1eba9728043e7e6dbdf94f0f66f06e6bdd1fdba096fb2
-
SHA512
28ee629fc56a204f2e40f6f1c42e45dd142800ea07277d8d89f3d7522fbe290d32240668543e679b6e40e6d68b2f9a65cd6bf6168a4d9a79859e49df2ae5f48e
-
SSDEEP
1536:oPoRMUAPWbUFADNjKxoxQhy45mXKhpwvv2Uj281XQoYYqA:oP4ZSbENer5Toz6qXQ3
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Modifies firewall policy service
-
Executes dropped EXE
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
mips
-
Size
1.1MB
-
MD5
a883bae381125e862c109af67b3cfda4
-
SHA1
852f169460932eb49c13fb6050fcdbafcd354af9
-
SHA256
5d9f4ec734cf44f342a45f7de4ba0e208ec141ce47e32b3bc7d0666eff538fe5
-
SHA512
40a9804c5f900c3370ac856172c496347faec0187489c9e5d496923dc27f7b2138bfa2c43550acab44fb331ced5e2993fe84ff737f87275fbb74a4eb7b502738
-
SSDEEP
12288:v0gZjw/mGyri7g8Nyllxm+KYCy1aPrfWf47b/d+qdeaQklaHhmM7tL+GSPlXJZra:VETLPAFHcMJ6l5ZZVtGAi3YKhAxtK
Score4/10 -
-
-
Target
pjhxx
-
Size
544KB
-
MD5
c819b1705f2938ac258397c29618fceb
-
SHA1
f6079e473b0f937e3dd6a8f9b76549925ca32f60
-
SHA256
609a5f0e44f1723d29f258c4459a532b75c9c1b2bd26607384d17352150dd3a6
-
SHA512
70b564bcd85289e3a7f00d98b3f587db8255ea1eca7938988f1f6c6673214e50de8c0e3ecb8d554d32bd5489d758c45fe4901d462c0f013ef28b8676bcd8f53b
-
SSDEEP
12288:yCAn8AR1vaStp/35mnngohox5aczgLXKJFV+61m0nwyhes/tB:yCa8ARRfmnnphS5aczgzKJFVhtwyhD
Score1/10 -
-
-
Target
rootkit
-
Size
357KB
-
MD5
80b21dcc410fcd97098e8b804ba1dd27
-
SHA1
8eab144db8af9bfb3c633b373489c6799f2ad5cf
-
SHA256
548d1e891b2837e28c6e495fd1e5788ab650d169c53ade1f0cadf005d8657316
-
SHA512
7f8a5335a0b37bf760825c00fb0b685f85bebed212533c725748e3cafd8f4e79fa09e1b152bb7612ee1091bed49f35aa728a5f42e775bc80788535c16e34a60d
-
SSDEEP
6144:4LZVne1+4AtZTefDUuipumMP+tjwPn2OFfRA/7pmuxEkV3ufBrCkRNcl4/YGA/u:4dVne09J8UbpumMP+tjwPn22pAjN3ufv
Score8/10-
Modifies password files for system users/ groups
Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.
-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE
-
OS Credential Dumping
Adversaries may attempt to dump credentials to use it in password cracking.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Writes DNS configuration
Writes data to DNS resolver config file.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies rc script
Adding/modifying system rc scripts is a common persistence mechanism.
-
Write file to user bin folder
-
Writes file to system bin folder
-
-
-
Target
se.exe
-
Size
96KB
-
MD5
b7b347f1aebf2ef10369faf14e0bb2fb
-
SHA1
258e9a1ec916d66b510849192fba6c05fdcdaec7
-
SHA256
589b185221797c8dc67bc586f8c2e3c463a06771e53744afa082c04be7fe5763
-
SHA512
4baa49881edb3dea09d6ba8a71cbbcfc597a94657ef2265a5bffb38d2d481579e4215c5674360d490bd3a2913017b606c7e14564db64f645d910e809271b44d3
-
SSDEEP
1536:GRtxXnig5/VUJyWryEXe8T1g6hypxc/lkJ5jj1fV8cGDmtY:GhN5/VmbTC6hyQ/OJRj1V8cGCtY
Score7/10-
Deletes itself
-
Executes dropped EXE
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Pluggable Authentication Modules
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Windows Service
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1File Deletion
1Modify Authentication Process
1Pluggable Authentication Modules
1Modify Registry
1Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
3System Checks
1Credential Access
Adversary-in-the-Middle
1Modify Authentication Process
1Pluggable Authentication Modules
1OS Credential Dumping
1/etc/passwd and /etc/shadow
1